worm-CliffZou - 1 Modeling, Analysis, and Mitigation of...

1. Modeling, Analysis, and Mitigation of Internet Worm Attacks

Presenter: Cliff C. Zou, Dept. of Electrical & Computer Engineering, University of Massachusetts, Amherst
Advisors: Weibo Gong, Don Towsley
Joint work with Don Towsley, Weibo Gong, Lixin Gao, and Songlin Cai

2. Outline
- Introduction of epidemic models
- Two-factor worm model
- Early detection and monitoring
- Feedback dynamic quarantine defense
- Routing worm: a fast, selective attack worm
- Worm scanning strategies
- Summary and future work

3. Epidemic Model: Simple Epidemic Model
- An infectious host I contacts a susceptible host S; new infections are driven by the number of contacts between I and S.
- Simple epidemic model for a fixed-population, homogeneous system.
- Notation: # of susceptible, # of hosts, # of infectious, infection ability.
[Figure: I(t) against t, with susceptible and infectious curves; y-axis in units of 10^5 hosts]

4. Epidemic Model: Kermack-McKendrick Model
- State transition: susceptible -> infectious -> removed
- Notation: # of removed from infectious, removal rate.
- Epidemic threshold theorem: no outbreak happens if [ ], where [ ] is the epidemic threshold.
[Figure: I(t) against t for epidemic threshold = 0, N/16, N/4, N/2; y-axis in units of 10^5 hosts]

5. Outline (section divider, same items as slide 2)

6. Internet Worm Modeling: Consider Human Countermeasures
- Human countermeasures:
  - Clean and patch: download cleaning program, patches.
  - Filter: put filters on firewalls, gateways.
  - Disconnect computers.
- Reasons for considering them:
  - Suppress most new viruses/worms from outbreak.
  - Eliminate virulent viruses/worms eventually.
- Removal of both susceptible and infectious hosts.
[State transition diagram: susceptible, infectious, removed]

7. Internet Worm Modeling: Two-Factor Worm Model
- Factor #2: Network congestion
  - Large amount of scan traffic.
  - Most scan packets go to unused IP addresses (30% BGP routable).
  - Effect: slowing down of worm infection ability.
- Two-factor worm model (extended from the KM model), with:
  - slowed-down infection ability due to congestion;
  - removal from susceptible hosts;
  - removal from infectious hosts.

8. Verification of the Two-Factor Worm Model
- Conclusion: the simple epidemic model overestimates a worm's propagation.
- At the beginning, we can ignore these two factors.
[Figure: Code Red, I(t) against UTC hours (July 19-20), observed data versus two-factor model; y-axis in units of 10^4 hosts]
[Figure: SQL Slammer*]
* Figure from: D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver, "Inside the Slammer Worm," IEEE Security & Privacy, July 2003.

9. Summary of Two-Factor Model
- Modeling principle: we must consider the changing environment when we model a dynamic process ....
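As an added worked example (not from the slides or from the authors' code), the Python script below integrates the simple epidemic, Kermack-McKendrick and two-factor models side by side, so that the two claims of slide 8 can be checked numerically: the simple model overestimates propagation, and the two factors are negligible early on. The equation forms, the constructed parameter values and the Code Red-sized population are assumptions, noted in the code.

```python
"""Numerical comparison of the epidemic models on the slides.

Equation forms are assumed, since the slides' equations were lost in
extraction: the Kermack-McKendrick (KM) model and Zou, Gong and Towsley's
two-factor worm model, with N = S + I + R + Q:
  dS/dt = -beta(t)*S*I - dQ/dt     dI/dt = beta(t)*S*I - dR/dt
  dR/dt = gamma*I                  dQ/dt = mu*S*(I + R)
  beta(t) = beta0*(1 - I/N)**eta   (congestion slows infection ability)
mu = eta = 0 gives the KM model; gamma = mu = eta = 0 the simple model.
"""

def km_threshold(beta, gamma):
    """KM epidemic threshold rho = gamma/beta: no outbreak if S(0) < rho."""
    return gamma / beta

def simulate(N, I0, beta0, gamma=0.0, mu=0.0, eta=0.0, steps=1200, dt=1.0):
    """Forward-Euler integration; returns I(t) after each step (dt in minutes).
    S susceptible, I infectious, R removed from infectious (cleaned/patched),
    Q removed from susceptible (patched/filtered before infection)."""
    S, I, R, Q = float(N - I0), float(I0), 0.0, 0.0
    history = []
    for _ in range(steps):
        beta = beta0 * (1.0 - I / N) ** eta   # congestion-reduced infection ability
        infections = beta * S * I * dt
        dR = gamma * I * dt                     # infectious hosts cleaned or patched
        dQ = mu * S * (I + R) * dt              # susceptibles patched or filtered
        S = max(S - infections - dQ, 0.0)
        I += infections - dR
        R += dR
        Q += dQ
        history.append(I)
    return history

# Constructed parameters (per minute), loosely Code Red-sized: 360,000 vulnerable
# hosts, 10 initially infected, beta0*N = 1.8 infections/hour per infectious host.
N, I0 = 360_000, 10
BETA0 = 1.8 / 60 / N
GAMMA = 0.05 / 60        # cleaning rate of infectious hosts
MU = 0.06 / 60 / N       # patching rate of susceptible hosts
ETA = 3                  # congestion exponent

if __name__ == "__main__":
    simple = simulate(N, I0, BETA0)
    two_factor = simulate(N, I0, BETA0, gamma=GAMMA, mu=MU, eta=ETA)
    for t in (60, 300, 600, 1200):   # simple model runs ahead at every hour
        print(f"t={t:4d} min  simple={simple[t-1]:9.0f}  two-factor={two_factor[t-1]:9.0f}")
    # KM threshold: removal rate gamma = beta0*N puts rho at N, so no outbreak.
    print("peak with rho = N:", max(simulate(N, I0, BETA0, gamma=BETA0 * N)))
```

The first hour shows the two curves within a few percent of each other, while the two-factor peak stays well below the simple model's saturation at N.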